Category Archives: PECR

Only very recently I wrote about how the Liberal Democrats had been found by the Information Commissioner’s Officer (ICO) to have been in breach of their obligations under anti-spam laws (or, correctly, the ICO had determined it was “unlikely” the Lib Dems had complied with the law). This was because they had sent me unsolicited emails promoting their party without my consent, in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The ICO told me that “we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals”.

Well, the reminder hasn’t worked: today I went on the Lib Dem site and noticed the invitation to agree that “The NHS needs an extra £8bn”. Who could disagree? There was a box to enter my email address and “back our campaign”. Which campaign did they mean? Who knows? I assumed the campaign to promote NHS funding, but there was no privacy notice at all (at least on the mobile site). I entered an email address, because I certainly agree with a campaign that the NHS needs an extra £8bn pounds, but what I certainly didn’t do was consent to receive email marketing.

But of course I did…within eight hours I received an email from someone called Olly Grender asking me to donate to the Lib Dems. Why on earth would I want to do that? And a few hours later I got an email from Nick Clegg himself, reiterating Olly’s message. Both emails were manifestly, shamelessly, sent in contravention of PECR, only a couple of weeks after the ICO assured me they were going to “remind” the Lib Dems of the law.

Surely the lesson is the same one the cynics have told us over the years – don’t believe what politicians tell you.

And of course, only this week there was a further example, with the notorious Telegraph “business leaders” letter. The open letter published by the paper, purporting to come from 5000 small business owners, had in fact been written by Conservative Campaign Headquarters, and signatories were merely people who had filled in a form on the Conservative party website agreeing to sign the letter but who were informed in a privacy notice that “We will not share your details with anyone outside the Conservative Party”. But share they did, and so it was that multiple duplicate signatories, and signatories who were by no means small business owners, found their way into the public domain. Whether any of them will complain to the ICO will probably determine the extent to which this might have been a contravention, not of PECR (this wasn’t unsolicited marketing), but of the Data Protection Act 1998, and the Conservatives’ obligation to process personal data fairly and lawfully. But whatever the outcome, it’s another example of the abuse of web forms, and the harvesting of email addresses, for the promotion of party political aims.

I will be referring the Lib Dems matter back to the ICO, and inviting them again (they declined last time) to take enforcement action for repeat and apparently deliberate, or reckless, contraventions of their legal obligations under PECR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

A few months ago, when I entered my email address on the Liberal Democrats’ website to say that I agreed with the statement

Girls should never be cut. We must end FGM

I hoped I wouldn’t subsequently receive spam emails promoting the party. However I had no way of knowing because there was no obvious statement explaining what would happen. But, furthermore, I had clearly not given specific consent to receive such emails.

Nonetheless, I did get them, and continue to do so – emails purportedly from Nick Clegg, from Paddy Ashdown and from others, promoting their party and sometimes soliciting donations.

I happen to think the compiling of a marketing database by use of serious and emotive subjects such as female genital mutilation is extraordinarily tasteless. It’s also manifestly unlawful in terms of Lib Dems’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which require specific consent to have been given before marketing emails can be sent to individuals.

On the lawfulness point I am pleased to say the Information Commissioner’s Office (ICO) agrees with me. Having considered my complaint they have said:

I have reviewed your correspondence and the organisations website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals.

Great. I’m glad they agree – casual disregard of PECR seems to be rife throughout politics. As I’ve written recently, the Labour Party, UKIP and Plaid Cymru have also spammed my dedicated email account. But I also asked the ICO to consider taking enforcement action (as is my right under regulation 32 of PECR). Disappointingly, they have declined to do so, saying:

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

It’s also disappointing that they don’t say why this is their decision. I know they cannot take enforcement action in every case reported to them, which is why I requested it in this specific case.

However, I will be interested to see whether the outcome of this case changes the Lib Dems’ approach. Maybe it will, but, as I say, they are by no means the only offenders, and enforcement action by the ICO might just have helped to address this wider problem.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The trouble with asking for a second opinion is it might be worse than the first one. Reactiv Media get an increased penalty after appealing to the tribunal.

In 2013 the First-tier Tribunal (Information Rights) (“FTT”) heard the first appeal against a monetary penalty notice (“MPN”) imposed by the Information Commissioner’s Office (“ICO”). One of the first things in the appeal (brought by the Central London Community Healthcare NHS Trust) to be considered was the extent of the FTT’s jurisdiction when hearing such appeals – was it, as the ICO suggested, limited effectively only to allowing challenges on public law principles? (e.g. that the original decision was irrational, or failed to take relevant factors into account, or took irrelevant factors into account) or was it entitled to approach the hearing de novo, with the power to determine that the ICO’s discretion to serve an MPN had been exercised wrongly, on the facts? The FTT held that the latter approach (similar to the FTT’s jurisdiction in appeals brought under the Freedom of Information Act 2000 (FOIA)) was the correct one, and, notably, it added the observation (at para. 39) that it was open to the FTT also to increase, as well as decrease, the amount of penalty imposed.

So, although an appeal to the FTT is generally a low-risk low-cost way of having the ICO’s decision reviewed, it does, in the context of MPNs served either under the Data Protection Act 1998 (DPA) or the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), potentially carry the risk of an increased penalty. And this is precisely what happened when a direct marketing company called Reactiv Media recently appealed an ICO MPN. Reactiv Media bad been held to have made a large number of unsolicited telephone calls to people who had subscribed to the Telephone Preference Service (“TPS”) – the calls were thus in contravention of Reactiv Media’s obligations under regulation 21 of PECR. The ICO determined that this constituted a serious contravention of those obligations, and as some at least of those calls were of a kind likely to cause (or indeed had caused) substantial damage or substantial distress, an MPN of £50,000 was served, under the mechanisms of section 55 of the DPA, as adopted by PECR.

Upon appeal to the FTT, Reactiv Media argued that some of the infringing calls had not been made by them, and disputed that any of them had caused substantial damage or distress. However, the FTT, noting the ICO’s submission that not only had the MPN been properly served, but also that it was lenient for a company with a turnover of £5.8m (a figure higher than the one the ICO had initially been given to understand), held that not only was the MPN “fully justified” – the company had “carried on its business in conscious disregard of its obligations” – but also that the amount should be increased by 50%, to £75,ooo. One presumes, also, that the company will not be given a further opportunity (as they were in the first instance) to take advantage of an early payment reduction.

One is tempted to assume that Reactiv Media thought that an appeal to the FTT was a cheap way of having a second opinion about the original MPN. I don’t know if this is true, but it if is, it is a lesson to other data controllers and marketers that, after an appeal, they might find themselves worse off.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

On the 11th of April the Liberal Democrats announced that they would introduce a “Digital Rights Bill” if they were to form part of a coalition government in the next parliament. Among the measures the bill would contain would be, they said

Beefed up powers for the Information Commissioner to fine and enforce disciplinary action on government bodies if they breach data protection laws…Legal rights to compensation for consumers when companies make people sign up online to deliberately misleading and illegible terms & conditions

I found this interesting because the Lib Dems have recently shown themselves particularly unconcerned with digital rights contained in ePrivacy laws. Specifically, they have shown a lack of compliance with the requirement at regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). This regulation forbids the sending of direct marketing by email unless the recipient has notified the sender that she consents to the email being sent. The European directive to which PECR give effect specifies that “consent” should be taken to have been given only by use of

any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website

And the Information Commissioner’s Office (ICO), which regulates PECR, explains in guidance [pdf] that

the person must understand what they are consenting to. Organisations must make sure they clearly and prominently explain exactly what the person is agreeing to, if this is not obvious. Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find, difficult to understand, or rarely read will not be enough to establish informed consent…consent must be a positive expression of choice. It does not necessarily have to be a proactive declaration of consent – for example, consent might sometimes be given by submitting an online form, if there was a clear and prominent statement that this would be taken as agreement and there was the option to opt out. But organisations cannot assume consent from a failure to opt out

But in July last year I began conducting an experiment. I put my name (actually, typed my email address) to a statement on the Lib Dem website saying

Girls should never be cut. We must end FGM

I gave no consent to the sending of direct email marketing from the Lib Dems, and, indeed, the Lib Dems didn’t even say they would send direct email marketing as a result of my submitting the email address (and, to be clear, the ICO takes the, correct, view [pdf] that promotion of a political party meets the PECR, and Data Protection Act, definition of “marketing”). Yet since October last year they have sent me 23 unsolicited emails constituting direct marketing. I complained directly to the Lib Dems, who told me

we have followed the policies we have set out ion [sic] our privacy policy which follow the guidance we have been given by the ICO

which hardly explains how they feel they have complied with their legal obligations, and I will be raising this as a complaint with the ICO. I could take the route of making a claim under regulation 30 of PECR, but this requires that I must have suffered “damage”. By way of comparison, around the same time I also submitted my email address, in circumstances in which I was not consenting to future receipt of email marketing, to other major parties. To their credit, none of the Conservatives, the SNP and the Greens have sent any unsolicited marketing. However, Labour have sent 8 emails, Plaid Cymru 10 and UKIP, the worst offenders, 37 (there is little that is more nauseating, by the way, than receiving an unsolicited email from Nigel Farage addressing one as “Friend”). I rather suspect that consciously or not, some political parties have decided that the risk of legal or enforcement action (and possibly the apparent ambiguity – although really there is none – about the meaning of “consent”) is so low that it is worth adopting a marketing strategy like this. Maybe that’s a sensible act of political pragmatism. But it stinks, and the Lib Dems’ cavalier approach to ePrivacy compliance makes me completely doubt the validity and sincerity of Nick Clegg’s commitment to

enshrine into law our rights as citizens of this country to privacy, to stop information about us being abused online

And, as Pat Walshe noticed the other day, even the Lib Dems’ own website advert inviting support for their proposed Digital Rights Bill has a pre-ticked box (in non-compliance with ICO guidance) for email updates. One final point, I note that clicking on the link in the first paragraph of this post, to the Lib Dems’ announcement of the proposed Bill, opens up, or attempts to open up, a pdf file of a consultation paper. This might just be a coding error, but it’s an odd, and dodgy, piece of script.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Imagine this. You enter a shop (let’s call it Shop A) to browse, and you look at an item of interest (let’s call it Item Q). While you do so, an unbeknown to you, a shop assistant places a sticker on your back, revealing that you looked at this item, and when and where. You leave and a few days later enter another shop, where a shop assistant says “I understand a few days ago you were interested in Item Q, here are some similar items you might be interested in”.

You might initially think “how helpful”, but afterwards you might start to wonder how the second shop knew about your interest, and to think that it’s a bit off that they seemed to have been able to track your movements and interests.

But try this as well. You go to your doctor, because you’re concerned about a medical condition – let’s say you fear you may have a sexually transmitted disease. As you leave the doctor secretly puts a sticker on your back saying when and where you visited and what you were concerned about. You later visit a pharmacy to buy your lunch. While you queue to pay an assistant approaches you and says openly “I understand you’ve been making enquiries recently about STDs – here are some ointments we sell”.

The perceptive reader may by now have realised I am clunkily trying to illustrate by analogy how cookies, and particularly tracking cookies work. We have all come to curse the cookie warning banners we encounter on web sites based in Europe, but the law mandating them (or at least mandating the gaining of some sort of consent to receive cookies) was introduced for a reason. As the Article 29 Working Party of European Data Protection Authorities noted in 2011

Many public surveys showed, and continue to show, that the average internet user is not aware that his/her behaviour is being tracked with the help of cookies or other unique identifiers, by whom or for what purpose. This lack of awareness contrasts sharply with the increasing dependence of many European citizens on access to internet for ordinary everyday activities

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC [the 1995 Data Protection Directive], inter alia, about the purposes of the processing

Of course, the requirement that users of electronic communications networks should give consent to the storing of or gaining access to information stored in their terminal equipment (i.e. that they should consent to the serving of cookies) has not been an easy one to implement, and even the Information Commissioner’s Office’s in 2013 rowed back on attempts to gather explicit consent, claiming that there was now no need because people were more aware of the existence of cookies. But I made what to me was an interesting observation recently when I was asked to advise on a cookie notice for a private company: it appeared to me, as I compared competitors’ sites, that those which had a prominent cookie banner warning actually looked more professional than those that didn’t. So despite my client’s wariness about having a banner, it seemed to me that, ironically, it would actually be of some professional benefit.

I digress.

Just what cookies are and can achieve is brought sharply home in a piece on the Fast Company website, drawing on the findings of a doctoral research student at the University of Pennsylvania. The paper, and the article, describe the use of web analytics, often in the form of information gathered from tracking cookies, for marketing in the health arena in the US. Tim Libert, the paper’s author discovered that

over 90% of the 80,000 health-related pages he looked at on the Internet exposed user information to third parties. These pages included health information from commercial, nonprofit, educational, and government websites…Although personal data is anonymized from these visits, they still lead to targeted advertisements showing up on user’s computers for health issues, as well as giving advertisers leads (which can be deciphered without too much trouble) that a user has certain health issues and what issues those are

The US lacks, of course, federal laws like PECR and the DPA which seek – if imperfectly – to regulate the use of tracking and other cookies. But given that enforcement of the cookie provisions of PECR is largely non-existent, are there similar risks to the privacy of web users’ health information in the UK?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

I greatly enjoyed yesterday’s (2 March 2015) Data Protection Practitioner Conference run by the Information Commissioner’s Office. I was representing NADPO on our stand, and the amount of interest was both gratifying and illustrative of the importance of having a truly representative body for professionals working in the field of information rights. NADPO were at pains – in running our prize draw (winners picked at random on stage by Information Commissioner Christopher Graham) – to make sure we let participants know what would or would not happen with their details. Feedback from delegates about this was also positive, and I’m pleased at least one privacy professional picked up on it. Therefore the irony of the following events is not lost on me.

I’d stayed overnight on Sunday, in a Macdonald hotel I booked through the agency Expedia. Naturally, I’m not one to encourage the sending to me of direct electronic marketing, and as the unsolicited sending of such marketing is contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 I didn’t expect to receive any, either from the agent or the hotel. Yet yesterday I did receive some, from the hotel group. So I’ve sent them this complaint:

I booked the hotel through your agent, Expedia.co.uk. As a professional working in the field of privacy and data protection I always make sure I opt out of any electronic marketing. Hence, when making my booking, I checked the Expedia box which said

“Check the box if you do not want to receive emails from Expedia with travel deals, special offers, and other information”.

“Expedia.co.uk may share your information with [suppliers] such as hotel, airline, car rental, and activity providers, who fulfill your travel reservations. Throughout Expedia.co.uk, all services provided by a third-party supplier are described as such. We encourage you to review the privacy policies of any third-party travel supplier whose products you purchase through Expedia.co.uk. Please note that these suppliers also may contact you as necessary to obtain additional information about you, facilitate your travel reservation, or respond to a review you may submit.”

I then consulted Macdonald Hotels’ privacy policy, but this seems to relate only to your website, and is silent on the use of clients’ data passed on by an agent.

Accordingly, I cannot be said to have consented to the sending by you to me of electronic marketing. Yet yesterday at 13.07 I received an email saying “Thank you for registering with Macdonald Hotels and Resorts…As a member of our mailing list you will shortly start to receive [further unsolicited electronic marketing].”

Ironically enough, I was in Manchester to attend the annual Data Protection Practitioners’ Conference run by the Information Commissioner’s Office (ICO). As you will be aware, the ICO regulates compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Before I raise a complaint with the ICO I would appreciate a) your removing me from any marketing database b) not receiving any further unsolicited marketing, and c) receiving your comments regarding your apparent breach of your legal obligations.

Each instance of unsolicited marketing is at best one of life’s minor irritants, but I have concerns that, because of this, some companies treat compliance with legal obligations as, at best, a game in which they try to trick customers into agreeing to receiving marketing, and at worst, as unnecessary. It may be that I received this particular unsolicited marketing from Macdonald Hotels by mistake (although that in itself might raise data protection concerns about the handling of and accuracy of customer data) but it happens too often. The media have rightly picked up on the forthcoming changes to PECR which will make it easier for the ICO to take enforcement actions regarding serious contraventions, but, sadly, I don’t see the lower level, less serious contraventions, decreasing.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

In October last year the Department for Culture Media and Sport (DCMS) announced a consultation to lower, or even remove, the threshold for the serving financial penalties on those who unlawfully send electronic direct marketing. I wrote at the time that

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge

The Information Commissioner’s Office (ICO) and DCMS both seemed at the time to be keen to effect the necessary legislative changes to amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) so that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, either a serious contravention alone of PECR, or a serious contravention likely to cause annoyance, inconvenience or anxiety, could give rise to a monetary penalty without the need to show – as now – likely substantial damage or substantial distress.

However, today, the Information Commissioner himself, Christopher Graham, gave vent to frustrations about delay in bringing about these changes:

Time and time again the Government talks about changing the law and clamping down on this problem, but so far it’s just that – talk. Today they are holding yet another roundtable to discuss the issue, and we seem to be going round in circles. The Government need to lay the order, change the law and bring in a reform that would make a real difference

So what has happened? Have representatives of direct marketing companies lobbied against the proposals? It would be interesting to know who was at today’s “roundtable” and what was said. But there was certainly an interesting tweet from journalist Roddy Mansfield. One hopes a report will emerge, and some record of the meeting.

One wonders why – if they are – marketing industry bodies might object to the proposed changes. The financial penalty provisions would only come into play if marketers failed to comply with the law. Spammers would get punished – the responsible companies would not.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Is Labour’s shiny new web widget “HowManyOfMe” compliant with the party’s obligations under electoral and ePrivacy law?

Regulations 102 and 106 of the Representation of the People (England and Wales) Regulations 2001 (as amended)1 mean that registered political parties can apply for a copy of the full electoral register, but they can only supply, disclose or make use of the information therein for “electoral purposes”. As far as I can see “electoral purposes” is nowhere defined, and, accordingly, I suspect it permits relatively broad interpretation, but, nevertheless, it clearly limits the use to which a political party can make use of electoral registration information.

With this in mind, it is worth considering whether the apparent use of such information by the Labour Party, in a new website widget, is a use which can be described as “for electoral purposes”. The widget in question invites people to submit their name (or indeed anyone else’s), email address and postcode and it will tell you how many voters in the country have that name. Thus, I find that there are 393 voters who have the name “Christopher Graham”. The widget then encourages users to register to vote. In small print underneath it says

in case you’re interested, this tool uses an aggregate figure from the electoral register and we’ve taken steps to protect the privacy of individuals

Well, I am interested. I’m interested to know whether this use of the electoral register is purely for electoral purposes. If it is, if its purpose is to encourage people to register to vote, then why does it need an email address? The widget goes on to say

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point. You can see our privacy policy here.

But if they are using the electoral register to encourage people to give up email addresses which may then receive political marketing, surely this is stretching the use of “for electoral purposes” too far? Moreover, and despite the small print privacy notice, and the almost-hidden link to a generic privacy policy, any emails received by individuals will be likely to be sent in contravention of Labour’s obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which give effect to the UK’s obligations under Directive 2002/58/EC. This is because regulation 22 of PECR prohibits, in terms, the sending of electronic direct marketing (and promotion of a political party constitutes such marketing) without the prior consent of the recipient. Consent, the Directive tells us, must be “a freely given specific and informed indication of the user’s wishes”. A vague description, as the widget here gives us, of what may happen if one submits an email address, and a statement about unsubscribing, do not legitimise any subsequent sending of direct marketing.

The email address I used is one I reserve for catching spammers; I’ve not received anything yet, but I expect to do so. I would be prepared to argue that any email I receive cannot be said to relate to the electoral purpose which permit use of the electoral register, and will be sent in contravention of PECR. As I said recently, one of the key battlegrounds in the 2015 general election will be online, and unless action is taken to restrain abuse of people’s personal information, things will get nasty.

1The legislation.gov.uk doesn’t provide updated (“consolidated”) versions of secondary legislation, so there’s no point in linking to their version of the regulations.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

It’s becoming increasingly clear that one of the key battlegrounds in the 2015 General Election will be online. The BBC’s Ross Hawkins reports that the Conservatives are spending large amounts each month on Facebook advertising, and Labour and UKIP, while not having the means to spend as much, are ramping up their online campaigning. But, as Hawkins says

the aim is not to persuade people to nod thoughtfully while they stare at a screen. They want consumers of their online media to make donations or, even better, to get their friends’ support or to knock on doors in marginal constituencies…[but] for all the novelties of online marketing, email remains king. Those Tory Facebook invoices show that most of the money was spent encouraging Conservative supporters to hand over their email addresses. Labour and the Conservatives send emails to supporters, and journalists, that appear to come from their front benchers, pleading for donations

I know this well, because in July last year, after growing weary of blogging about questionable compliance with ePrivacy laws by all the major parties and achieving nothing, I set a honey trap: I submitted an email address to the Conservative, Labour, LibDem, Green, UKIP, SNP and Plaid Cymru websites. In each case I was apparently agreeing with a proposition (such as the particularly egregious LibDem FGM example) giving no consent to reuse, and in each case there was no clear privacy notice which accorded with the Information Commissioner’s Office’s Privacy Notices Code of Practice (I do not, and nor does the ICO, at least if one refers to that Code, accept that a generic website privacy policy is sufficient in case like this). Since then, the fictional, and trusting but naive, Pam Catchers (geddit??!!) has received over 60 emails, from all parties contacted. A lot of them begin, “Friend, …” and exhort Pam to perform various types of activism. Of course, as a fictional character, Pam might have trouble enforcing her rights, or complaining to the ICO, but the fact is that this sort of bad, and illegal, practice, is rife.

To be honest, I thought Pam would receive more than this number of unsolicited emails (but I’m probably more cynical than her). But the point is that each of these emails was sent in breach of the parties’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which demands that recipients of electronic direct marketing communications must have given explicit consent prior to the sending. By extension, therefore, the parties are also in breach of the Data Protection Act 1998 (DPA), which, when requiring “fair” processing of personal data, makes clear that a valid privacy notice must be given in order to achieve this.

In recent years we have investigated complaints about political parties and referendum campaigners using direct marketing, and on occasion we have used our enforcement powers to prevent them doing the same thing again. Failure to comply with an enforcement notice is a criminal offence.

A data controller’s compliance, or lack thereof, with data protection laws in one area is likely to be indicative of its attitude to compliance elsewhere. Surely the time has come for the ICO at least to remind politicians that online privacy rights are not to be treated with contempt?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

In August this year I reported that the Information Commissioner’s Office (ICO) had effectively conceded it had no current powers to issue monetary penalties on spam texters. This was after the Upper Tribunal had indicated that in most cases the sending of such texts was not likely to cause substantial damage or substantial distress (this being part of the statutory test for serving a monetary penalty notice (MPN) for a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003) (PECR).

What I’d forgotten were the reports of highly distasteful and in some cases highly distressing texts sent in May to festival-goers by the organisers of the Parklife festival in Manchester’s Heaton Park. The texts didn’t disclose that they were from the event organisers, but instead purported to come from “Mum” and were advertising extra events at the festival.

Regulation 23 of PECR outlaws the sending of direct marketing texts (and other direct marketing electronic communications) where the sender’s identity has been disguised or concealed.

As the Manchester Evening News reported at the time receiving the texts in question left many recipients who had lost their mothers distressed and upset.

And so it came to pass that, as the same newspaper reveals today, the ICO investigated complaints about the marketing, and appears to have determined that the sending of the texts was a serious contravention of PECR regulation 23, and it was of a kind likely to cause substantial distress. The paper reveals that an MPN of £70000 has been served on the organisers, and the ICO has confirmed this on its website, and the MPN itself lists a number of the complaints made by affected recipients.

So, I, and the ICO’s Steve Eckersley, were wrong – powers to serve MPNs for spam texts do still currently exist, although it must be said that this was an exceptional case: most spam texts are irritating, rather than as callous and potentially distressing as these. And this is why the Ministry of Justice is, as I have previously discussed, consulting on lowering, or dropping altogether, the “harm threshold” for serving MPNs for serious PECR contraventions.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.